5. Configure the firewall with UFW

by Cover Tower - Updated October 11, 2021

UFW, or Uncomplicated Firewall, is a tool designed to let administrators manage the native Debian firewall easily. Instead of editing the iptables rules directly with complicated commands, you can manage the firewall rules with simple UFW commands. First install UFW:

apt-get install ufw

5.1. Set the default firewall rules

In general, a server only needs a small number of ports open for incoming connections, while all the other ports should remain closed. The ufw default command can be used to set the default response to incoming and outgoing connections. To deny all incoming and allow all outgoing connections, run:

ufw default allow outgoing
ufw default deny incoming

The ufw default command also accepts the reject parameter (reject sends an error response back to the sender, whereas deny silently drops the packet). Please note that the deny and allow rules have no effect until you enable ufw, so make sure that you set the proper allow rules for SSH and for the other critical services, as described below, before enabling ufw with the default allow/deny rules from above. Otherwise, you may lock yourself out of your server.

5.2. Add firewall rules

Rules can be added in two ways: by specifying the port number or by specifying the service name.

For example, to allow both incoming and outgoing connections on port 80 for HTTP, you can run:

ufw allow 80

or

ufw allow http

5.3. Remove firewall rules

To remove a rule, use the delete command, like this:

ufw delete allow 80

The delete command also allows the use of service names (http, ssh, etc.).

5.4. Allow connections for the custom SSH port

Remember that in the /etc/ssh/sshd_config file you changed the default SSH port, 22, to a custom port (6283 in our example). This is very important for security reasons, but it is equally important to allow SSH connections on this custom port; otherwise you will lock yourself out of your server when enabling UFW. To open port 6283 in the firewall, run:

ufw allow 6283

Replace 6283 with your custom SSH port. Note that this does not open port 22, which is the main target of attackers.

5.5. Add various firewall rules

You can add a rule to deny traffic on a certain port like this:

ufw deny 111

If you do this, when you run the ufw status command to list all the rules implemented by UFW, port 111 will be listed with the DENY action, like this:

To                          Action       From
--                          ------       ----
111                         DENY         Anywhere

You can fine-tune your rules by allowing packets based on the TCP or UDP protocol. Both of the commands below do the same thing: allow TCP packets on port 80:

ufw allow 80/tcp
ufw allow http/tcp

The following command will allow UDP packets on port 2536:

ufw allow 2536/udp

5.6. Advanced rules

Using UFW you can allow or deny connections based on ports, but also based on specific IP addresses, subnets, or combinations of IP addresses, subnets and ports.

To allow connections from the IP 111.111.111.111, run:

ufw allow from 111.111.111.111

To allow connections from the 111.111.111.111/24 subnet run:

ufw allow from 111.111.111.111/24

To allow a specific IP address-port-protocol combination:

ufw allow from 111.111.111.111 to any port 4234 proto tcp

proto tcp can be omitted or replaced with proto udp, depending on your requirements, and every instance of allow can be changed to deny.

To open a range of ports run:

ufw allow 12200:12299/tcp

In the case of port ranges, the protocol part (/tcp or /udp) is mandatory.

5.7. Edit UFW Configuration Files

Before applying the rules added from the command line, UFW applies the rules listed in the /etc/ufw/before.rules file, which can include complex rules for loopback traffic, pings or DHCP. To add rules that must run before the rules entered on the command line, edit the /etc/ufw/before.rules file. A before6.rules file for IPv6 is located in the same directory.

The after.rules and after6.rules files also exist, for any rules that need to run after the rules you added on the command line.

Another important configuration file is the /etc/default/ufw file. In this file, you can enable or disable IPv6 support and configure different default settings.

5.8. Enable UFW

After you have set all your rules, if you run:

ufw status

you will see:

Status: inactive

To enable UFW and apply all the firewall rules that you have set up, run:

ufw enable

Similarly, to disable UFW’s rules, run:

ufw disable

This will still leave the UFW service running and enabled on reboots.
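The sequence in 5.1, 5.4 and 5.8 (set the defaults, allow the custom SSH port, then enable) is where lockouts happen. As an added example that is not part of the original guide, the following shell functions check with ufw show added that the SSH allow rule was actually recorded before enabling; the function names and the APPLY and SSH_PORT variables are my own choices, and the sample output is constructed.

```shell
# Added example (not part of the original guide): a lockout guard for the
# procedure in 5.1, 5.4 and 5.8. Before `ufw enable`, it confirms that an
# allow rule for the custom SSH port was actually recorded. `ufw status`
# prints only "Status: inactive" before enabling, so the check reads
# `ufw show added` instead. Real ufw commands run only when APPLY=1.

# valid_port PORT: succeed if PORT is an integer in 1..65535.
valid_port() {
    case $1 in
        '' | *[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# rule_allows_port ADDED_TEXT PORT: succeed if ADDED_TEXT (the output of
# `ufw show added`) contains a line "ufw allow PORT" or "ufw allow PORT/tcp".
# Source-restricted rules ("ufw allow from ... to any port ...") do not count.
rule_allows_port() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $1 == "ufw" && $2 == "allow" && ($3 == p || $3 == (p "/tcp")) { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# safe_enable PORT: set the defaults from 5.1, allow the SSH port from 5.4,
# verify, and only then enable (5.8). Returns 2 on a bad port, 1 on failure.
safe_enable() {
    port=$1
    valid_port "$port" || { echo "invalid SSH port: $port" >&2; return 2; }
    if [ "${APPLY:-0}" != 1 ]; then
        echo "dry run: ufw default deny incoming; ufw default allow outgoing; ufw allow $port/tcp; ufw show added; ufw enable"
        return 0
    fi
    ufw default deny incoming  || return 1
    ufw default allow outgoing || return 1
    ufw allow "$port/tcp"      || return 1
    if rule_allows_port "$(ufw show added)" "$port"; then
        ufw --force enable   # --force skips the interactive confirmation
    else
        echo "refusing to enable UFW: no allow rule for SSH port $port" >&2
        return 1
    fi
}

# Constructed sample of `ufw show added` output, for an offline demonstration.
SAMPLE_ADDED="Added user rules (see 'ufw status' for running firewall):
ufw allow 6283/tcp
ufw allow 80"
rule_allows_port "$SAMPLE_ADDED" 6283 && echo "sample: SSH port 6283 is allowed"
safe_enable "${SSH_PORT:-6283}"
```

Run it as root with APPLY=1 SSH_PORT=<your port> to apply; without APPLY=1 it only prints the plan.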

5.9. Reset UFW Rules

If you have set up some UFW rules but you decide that you want to start again, you can use the reset command to disable UFW and delete all the rules added previously:

ufw reset

This will enable you to remove all your changes and start fresh.

5.10. UFW Status

You can check the status of UFW at any moment by running:

ufw status

This will show whether or not UFW is active and will list all the rules added using the command line:

Status: active

To                         Action      From
--                         ------      ----
6283                       ALLOW       Anywhere
80                         ALLOW       Anywhere
443                        ALLOW       Anywhere
6283 (v6)                  ALLOW       Anywhere (v6)
80 (v6)                    ALLOW       Anywhere (v6)
443 (v6)                   ALLOW       Anywhere (v6)

You can list all the rules as a numbered list by running:

ufw status numbered

     To                         Action      From
     --                         ------      ----
[ 1] 2581                       ALLOW IN    Anywhere
[ 2] 6258                       ALLOW IN    Anywhere
[ 3] 6814                       ALLOW IN    Anywhere
[ 4] 6815                       ALLOW IN    Anywhere
[ 5] 443                        ALLOW IN    Anywhere

The big advantage of listing the rules as a numbered list is that you can delete any rule by specifying its number, like this:

ufw delete 2

or

ufw delete 5
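Rule numbers are not stable: each ufw delete renumbers the remaining rules, so deleting several rules from one listing must go from the highest number down. As an added example that is not part of the original guide, these shell functions parse ufw status numbered output and emit the deletions in that order; the function names and the constructed sample listing are mine.

```shell
# Added example (not the guide's own code): deleting several rules by number.
# `ufw delete N` removes rule N and renumbers the rest, so deleting from a
# stale list removes the wrong rules. These helpers parse `ufw status numbered`
# output and emit the deletions highest-number-first, which keeps the
# remaining numbers valid.

# rule_numbers_for NUMBERED_TEXT PORT: print, one per line and highest first,
# the rule numbers whose "To" column is exactly PORT, PORT/tcp or PORT/udp
# (IPv4 and "(v6)" rows alike). Header lines carry no "[N]" and are skipped.
rule_numbers_for() {
    printf '%s\n' "$1" |
        sed -n 's/^\[ *\([0-9][0-9]*\)] *\([^ ]*\).*/\1 \2/p' |
        awk -v p="$2" '$2 == p || $2 == (p "/tcp") || $2 == (p "/udp") { print $1 }' |
        sort -rn
}

# delete_plan NUMBERED_TEXT PORT: the exact commands to run, in a safe order.
# --force skips the interactive confirmation prompt.
delete_plan() {
    for n in $(rule_numbers_for "$1" "$2"); do
        echo "ufw --force delete $n"
    done
}

# delete_port_rules PORT: apply the plan against the live firewall (as root).
delete_port_rules() {
    for n in $(rule_numbers_for "$(ufw status numbered)" "$1"); do
        ufw --force delete "$n" || return 1
    done
}

# Constructed sample in the format shown above, for an offline demonstration.
SAMPLE_NUMBERED="Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 6283                       ALLOW IN    Anywhere
[ 2] 443                        ALLOW IN    Anywhere
[ 3] 80                         ALLOW IN    Anywhere
[ 4] 443 (v6)                   ALLOW IN    Anywhere (v6)
[ 5] 80 (v6)                    ALLOW IN    Anywhere (v6)"

echo "rules for port 443 (IPv4 and IPv6), highest first:"
rule_numbers_for "$SAMPLE_NUMBERED" 443
delete_plan "$SAMPLE_NUMBERED" 443
```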

After you install all the applications described in this guide, your UFW rules should look like the listing below. (Please note that several of the ports below are custom ports chosen for this guide, so you shouldn't use the ones shown here. Replace them with your own custom ports, as we'll explain for each application when describing how to install it. Don't open all these ports yet; we'll explain when to open each of them further down below.)

ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 6283                       ALLOW IN    Anywhere (SSH)
[ 2] 1053                       ALLOW IN    Anywhere (FTP)
[ 3] 30856                      ALLOW IN    Anywhere (FTP passive)
[ 4] 30857                      ALLOW IN    Anywhere (FTP passive)
[ 5] 443                        ALLOW IN    Anywhere (HTTPS)
[ 6] 80                         ALLOW IN    Anywhere (HTTP)
[ 7] 1194/udp                   ALLOW IN    Anywhere (OpenVPN)
[ 8] 995                        ALLOW IN    Anywhere (POP3S)
[ 9] 993                        ALLOW IN    Anywhere (IMAPS)
[10] 587                        ALLOW IN    Anywhere (STARTTLS over SMTP)
[11] 465                        ALLOW IN    Anywhere (SMTPS)
[12] 143                        ALLOW IN    Anywhere (IMAP)
[13] 110                        ALLOW IN    Anywhere (POP3)
[14] 25                         ALLOW IN    Anywhere (SMTP)
[15] 8443                       ALLOW IN    Anywhere (STUN)
[16] 10000:20000/udp            ALLOW IN    Anywhere (Asterisk)
[17] 5827                       ALLOW IN    Anywhere (Asterisk)
[18] 8088                       ALLOW IN    Anywhere (WebRTC)
[19] 8089                       ALLOW IN    Anywhere (WebRTC)
[20] 53                         ALLOW IN    Anywhere (DNS BIND)
[21] 443 (v6)                   ALLOW IN    Anywhere (v6)
[22] 80 (v6)                    ALLOW IN    Anywhere (v6)
[23] 995 (v6)                   ALLOW IN    Anywhere (v6)
[24] 993 (v6)                   ALLOW IN    Anywhere (v6)
[25] 587 (v6)                   ALLOW IN    Anywhere (v6)
[26] 465 (v6)                   ALLOW IN    Anywhere (v6)
[27] 143 (v6)                   ALLOW IN    Anywhere (v6)
[28] 110 (v6)                   ALLOW IN    Anywhere (v6)
[29] 25 (v6)                    ALLOW IN    Anywhere (v6)
[30] 8443 (v6)                  ALLOW IN    Anywhere (v6)
[31] 10000:20000/udp (v6)       ALLOW IN    Anywhere (v6)
[32] 5827 (v6)                  ALLOW IN    Anywhere (v6)
[33] 8088 (v6)                  ALLOW IN    Anywhere (v6)
[34] 8089 (v6)                  ALLOW IN    Anywhere (v6)
[35] 53 (v6)                    ALLOW IN    Anywhere (v6)